Privacy protections tested

Is the primary federal privacy law up to the task of protecting patient information in the 21st century?

It's a question we put to opinion leaders in the legal, research, policy, ethics, provider and technology fields within the healthcare privacy community. It comes as hospitals and office-based physicians ramp up adoption of electronic health-record systems and join information exchanges to qualify for their share of the $27 billion in federal information technology subsidy payments available under the American Recovery and Reinvestment Act of 2009, also known as the stimulus law.

The key federal privacy law, the Health Insurance Portability and Accountability Act, was passed in 1996, an era in which the public Internet still was in its infancy.

HIPAA identified providers, payers and clearinghouses as the primary claims-creating and -handling organizations and singled them out as “covered entities” under the law, meaning they are required to comply with the law's mandates on data transaction standards and security. The HIPAA privacy protection scheme centered on them as well.

Thus, what we'll call the HIPAA paradigm sought to protect patient privacy mainly by placing a regulatory fence around this special class of organizations and individuals. Businesses that handled some of the data-processing tasks for covered entities were exempt from direct liability for privacy violations, but were contractually roped into the scheme through business associate agreements with the covered entities.

This regulatory paradigm continues to this day, with some modifications Congress enacted last year as part of the stimulus law, such as making business associates liable under HIPAA for privacy violations. By extending direct liability to business associates, in effect, the stimulus law moved the HIPAA regulatory fence out a bit, but kept covered entities in the center of the enclosure.

Federal officials have spoken often about the “foundational” importance of privacy and security. The argument goes like this: If patients don't trust that their information will be kept safe, then they won't agree to have their information stored or shared on IT systems, so the potential quality and safety and cost improvements afforded by those systems—and the government's investments in them—will come to naught.

David Blumenthal, head of the Office of the National Coordinator for Health Information Technology at HHS, said as much when he addressed an Aug. 4 meeting in Washington hosted by the Substance Abuse and Mental Health Services Administration, part of HHS.

Of the many health IT activities undertaken by his office, Blumenthal said, “none is more important than the issue that we're talking about today, generically, and that is privacy and security of healthcare information.”

“We work within the HIPAA framework, and that's extremely useful as a foundation, but we are aware that HIPAA was not constituted with the electronic age in mind, and we were tasked by the Congress with pushing beyond it,” Blumenthal said. But not everyone shares Blumenthal's faith in the usefulness of HIPAA going forward.

Hardly a week goes by when the efficacy of the HIPAA privacy paradigm in the new information age isn't called into question. For example:

Last year, parents sued the Texas Department of State Health Services when they learned blood samples, taken from infants for public health purposes, were used without parental consent for research. The suit led to the destruction of more than 5 million samples.

In February, the not-for-profit news website Texas Tribune reported the same state program also provided hundreds of the infant blood samples to the Armed Forces DNA Identification Laboratory for the creation of a genetics database to be used for military, law enforcement and security purposes.

In May, PatientsLikeMe, a social-networking site for patients with serious and life-ending diseases ranging from depression to ALS, discovered, according to its co-founder, that it had been scraped of members' information by an unauthorized data-collection service run by the Nielsen Co., a global marketing research firm. A Nielsen spokesman says it has halted what he called a “legacy” practice.

In all of these cases, HIPAA was not a factor because the parties, despite handling massive amounts of sensitive patient information, are not covered entities and thus operate outside the regulatory fence of the HIPAA paradigm.

In 1996, in drafting HIPAA, Congress gave itself three years to write supplemental legislation to flesh out HIPAA's bare bones structure on patient privacy. Congress failed to act in time, which triggered a HIPAA provision that transferred the responsibility for writing a complete HIPAA privacy rule to HHS. Staffers at HHS produced the initial HIPAA privacy rule in 2000. That early version called for covered entities to obtain patient consent for treatment, payment and other healthcare operations, the latter being something of a catch-all category that includes fundraising and medical underwriting.

But in 2002, HHS rewrote the HIPAA privacy rule, granting “regulatory permission” to covered entities to disclose patient information for treatment, payment and other healthcare operations without patient consent. It was a fundamental change, one that privacy advocates say may soon come back to haunt federal regulators who are now pushing hard for EHR adoption and interoperability.

The HIPAA paradigm, however, is not the only regulatory game in town, even at the federal level. Congress, for example, provided veterans with their own consent protection for records involving diagnosis or treatment of drug or alcohol abuse, HIV/AIDS or sickle cell anemia. Similarly, in 1972, Congress passed a law protecting the records of patients of federally funded treatment programs for alcohol and drug abuse.

The law is more commonly known by its location in the Code of Federal Regulations of its attendant rule, 42 CFR Part 2. Both the law and the rule apply to thousands of healthcare organizations, according to Catherine O'Neill, senior vice president and director of HIV/AIDS projects at the Legal Action Center in New York. The not-for-profit center advocates on behalf of drug- and alcohol-abuse patients and persons with criminal records.

Like the veterans' law, 42 CFR Part 2 also requires, in most cases, written patient consent for the disclosure of drug or alcohol treatment records. But unlike the veterans' law or the HIPAA paradigm, where the requirement is attached to the organization, with 42 CFR Part 2, the consent obligation flows with the data. When treatment records are moved and come into the possession of another provider or organization, the rule essentially states, “tag, you're it,” and that new provider in possession is obliged to seek patient consent to disclose those records to anyone else.
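The two consent models contrasted above (HIPAA's entity-scoped "regulatory permission" for treatment, payment and operations, versus 42 CFR Part 2's obligation that travels with the record) are easier to see as a small policy check. This is an added illustration, not code from the article or from any regulator; the organisation names, purposes and records are constructed.

```python
# Toy policy check contrasting the two consent models the article describes.
# HIPAA paradigm (post-2002 rule): a covered entity may disclose for treatment,
# payment or operations (TPO) without consent; a non-covered holder is simply
# outside the rule. 42 CFR Part 2: the obligation is attached to the record, so
# whoever holds it needs the patient's written consent to disclose it further.
# All names and records here are constructed for illustration.
from dataclasses import dataclass, field

TPO = {"treatment", "payment", "operations"}


@dataclass
class Record:
    patient: str
    part2: bool          # True for a drug/alcohol treatment record
    holder: str          # organisation currently holding the record
    consents: set = field(default_factory=set)  # (holder, recipient) pairs consented


def may_disclose(rec: Record, recipient: str, purpose: str, covered: set) -> bool:
    """Return True if rec's current holder may disclose it to recipient."""
    if rec.part2:
        # Part 2: the obligation follows the data; every holder needs consent
        return (rec.holder, recipient) in rec.consents
    if rec.holder not in covered:
        return True  # outside the HIPAA fence: the rule imposes no obligation
    # covered entity: TPO is permitted without consent, anything else needs it
    return purpose in TPO or (rec.holder, recipient) in rec.consents


def transfer(rec: Record, recipient: str, purpose: str, covered: set) -> Record:
    """Disclose and hand the record over; the Part 2 tag travels with it."""
    if not may_disclose(rec, recipient, purpose, covered):
        raise PermissionError(f"{rec.holder} may not disclose to {recipient}")
    return Record(rec.patient, rec.part2, recipient, set(rec.consents))


def demo() -> dict:
    covered = {"hospital", "clinic", "insurer"}
    general = Record("p1", part2=False, holder="hospital")
    rehab = Record("p1", part2=True, holder="hospital",
                   consents={("hospital", "clinic")})
    out = {
        "hipaa_tpo_no_consent": may_disclose(general, "insurer", "payment", covered),
        "hipaa_marketing_no_consent": may_disclose(general, "vendor", "marketing", covered),
        "noncovered_site": may_disclose(Record("p1", False, "social_site"), "ads", "marketing", covered),
        "part2_no_consent": may_disclose(rehab, "insurer", "payment", covered),
        "part2_with_consent": may_disclose(rehab, "clinic", "treatment", covered),
    }
    at_clinic = transfer(rehab, "clinic", "treatment", covered)  # "tag, you're it"
    out["part2_redisclosure_by_clinic"] = may_disclose(at_clinic, "insurer", "payment", covered)
    return out
```

The last entry is the point of the Part 2 model: the clinic received the record lawfully, yet cannot pass it on without its own consent from the patient.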

Despite the elimination of consent by HHS for most healthcare information, the SAMHSA fully supports retention of the consent requirement for drug and alcohol treatment records in 42 CFR Part 2, says Robert Lubran, acting director of the division of services improvement at the SAMHSA. “I think it provides a principle that people here at least feel is very important in terms of keeping this in the control of the consumer,” Lubran says.

Longtime privacy researcher Alan Westin, in his seminal book Privacy and Freedom, published in 1967, declared: “Privacy is the claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others.”

Westin, professor emeritus in public law and government at Columbia University, served as lead consultant on a 2007 survey by Harris Interactive on public opinion regarding privacy and healthcare research and the importance of patient consent. Westin says the removal of consent from HIPAA by federal rulemakers in 2002 “left us high and dry,” but with the improvements to HIPAA in the stimulus law, “I think the raw materials for excellence are there.” Privacy protection will depend again on HHS rulemakers, however, he says. (A proposed privacy rule addressing HIPAA modifications from the stimulus law was released by HHS in July, but a final rule is pending.) If it's not addressed, Westin says, don't be surprised if there is consumer backlash.

“I think we're at a pivotal moment,” Westin says, given the massive inflows of federal IT subsidies about to begin. “Just imagine a lawsuit as a class action with all the people who would otherwise be swept into a network saying, ‘I did not give my consent,’ and asking the court to intervene.”

Meanwhile, Westin says he sees “a dangerous trend” developing in healthcare IT in which patients are regarded as “inert data elements, not conscious persons” who have the right to make informed choices regarding “how their health information is used beyond the direct care settings.” “You have to have privacy orienting systems at the design,” he says. “If the plumbing all gets in, it's going to be very costly to tear it down and change it.”

While much of the federal privacy focus is on HIPAA, in the U.S., “what we're really talking about is a mosaic of policies,” says Ioana Singureanu, a health IT standards development consultant with her own firm, Eversolve, in Windham, N.H.

Singureanu has been a member since 1997 of Health Level Seven, a prominent healthcare IT standards development organization. Most recently, she's been working with HL7 on developing guidelines for electronic patient consent directives for EHRs and data exchanges.

While HIPAA places a privacy floor under both the states and the federal government, “the floor has to be raised, that's quite clear,” Singureanu says. “If you raise the floor, then you can make this mosaic a little bit more manageable.”

But reliance on policies as the sole protector of individual privacy won't work, either, she says. Technology itself needs to be brought to bear to create tools to aid providers in enforcing those publicly evolved privacy policies. “I think the systems of the future will have to be more proactive, to prevent you from doing what you're not allowed to do by policy,” she says.

“The technology exists already to protect certain information that meets specific criteria,” she says. “That's not too different than the quality measures that people are being asked to collect automatically. The challenge is to formulate rules in such a way that they actually live up to the spirit of the policy.”

Singureanu says Australia and the Canadian province of British Columbia, as well as the U.S. Veterans Affairs Department's health system, all “have some sort of form they use to record your preferences. These are in use now.” Other countries also do well in providing technologies for patients to revoke previously given consent, she says.

IT-enabled privacy protection functions need to be included in EHR certification criteria and their use made part of the meaningful-use criteria under the stimulus law's EHR incentive program, she says.

Kenneth Goodman, professor of medicine and philosophy and the director of the bioethics program at the University of Miami, says he sees HIPAA as part of the health IT furniture.

“Is HIPAA a good place to start for moving into the new world of ubiquitous IT?” Goodman asks. “It better be. Because starting over isn't a practical or politically viable option. I'm sure if the framers of HIPAA would have do-overs, they'd do it differently. I believe that HIPAA can be improved. It's the best we've got.”

Goodman co-authored an article on ethics, policy, EHRs and biobanking published in February in Science Progress, an online science and policy magazine of the liberal Center for American Progress, a Washington-based think tank. In it, Goodman argues that individuals have an obligation to provide access to their healthcare information for the public good and that society has both a right and a duty to use that information to improve community health.

A new challenge will be to regulate against the abuse of data outside the scope of HIPAA. “You encounter personal health records, where people put their health information on a cell phone, or on Google and Microsoft, and Google and Microsoft are not covered entities. We need to figure out what the privacy framework is for personal health records and other sharing of personal information.”

Deborah Peel is the practicing psychiatrist who founded the Patient Privacy Rights Foundation in Austin, Texas. To Peel, the HIPAA paradigm is obsolete and inadequate and needs to be replaced.

“You can't draw a fence around who has sensitive health information,” Peel says. “It might have made sense 20 years ago, but it is a model that doesn't fit the realities of today. It's based on an anachronistic view of the healthcare system, as if it's totally separate from everything else in business and in life, and if technology has taught us anything, it's that that's not effective.”

Peel also says the 42 CFR Part 2 framework should be applied to all patient data. “Healthcare information, because of the Internet, is everywhere; therefore, the protections must follow the data,” she says. “If we don't say a damn word about social media and websites and the rest, we lose because that information is out there in all of those places.”

Mark Rothstein, a lawyer and the director of the Institute for Bioethics, Health Policy and Law at the University of Louisville (Ky.) School of Medicine, says he's been “a proponent of comprehensive privacy legislation for a long time, which we don't have, and nobody's talking about this. What I mean by comprehensive is we don't have it limited to a group of three covered entities. It applies to everyone who accesses and uses private health information.”

But Rothstein, who served as chairman of the subcommittee on privacy and confidentiality of the National Committee on Vital and Health Statistics, an advisory committee to HHS, from 1999 to 2008, concedes that major legislative changes to the HIPAA paradigm, as much as it is needed, are unlikely.

One lesser change Rothstein suggests would be helpful is to add to HIPAA the right of an individual to sue a privacy violator in federal court. “It would certainly act as a deterrent to wrongdoing,” Rothstein says. “The wrongdoers would be at risk from civil judgment. Now, all you have to do is promise not to do it again, if it gets that far.”

“The other thing we ought to take a look at is the nonconsensual using of discarded information,” Rothstein says.

Consent is key, according to Rothstein, who cited the Texas cases in support of his argument. “One mother sued, and as a result of the lawsuit, 5.3 million blood samples were destroyed,” Rothstein says. A state law passed in the wake of the uproar gave parents the right to opt out of the collection program. “Since then, the opt-out rate is only 3%,” Rothstein says. “But they want to be asked.”

Pam Dixon, the founder and executive director of the World Privacy Forum, says HIPAA is only “a beginner framework” that “we've grown out of now.”

“There has to be an entirely new approach and it has to start with governance,” she says. Dixon, who has served as a member of the state-chartered California Privacy and Security Advisory Board since 2008, says the U.S. needs to create the position of a national data commissioner on privacy with broad authority across all industries, not just healthcare. “We're the only industrialized country that doesn't have this.”

One of the clearer windows on Internet-based threats to personal privacy is the case of social media site PatientsLikeMe confronting market researcher Nielsen.

“Nielsen posed as a depressed patient, and then they turned on a computer once they were logged in,” says Jamie Heywood, co-founder and board chairman of PatientsLikeMe. What Nielsen gathered while there was “data that was available to the community—to 70,000 people,” he says. But the point, according to Heywood, is Nielsen didn't ask, it took.

“When we sell our data, we contractually require our clients to do certain things,” he says. “They can't re-identify the data. We feel we have a moral contract with our customers to make the world better. What Nielsen did was they went in and took data that was available and sold it with none of the restrictions that we work under. So we stopped them. We sent them a cease-and-desist letter. They broke a legal contract when you sign on to our site.”

Nielsen spokesman Matt Anchin, in response to questions about the company's doings on the PatientsLikeMe website, says the activities were conducted by a Nielsen service called BuzzMetrics. Anchin would not say who, even by the type of industry, uses BuzzMetrics data, or for what purpose. “We became aware of it and we stopped it,” Anchin says.

“There is no such thing as de-identified data any longer,” Heywood says. “Anyone who has a state, age and gender and a couple of diagnoses is pretty much identifiable to every doctor and insurance company.”
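Heywood's claim can be measured rather than asserted: count how many records share the same state, age, gender and diagnoses (the k-anonymity of each record; k of 1 means the combination is unique and linkable). This is an added example, not code from PatientsLikeMe or the article; the eight sample rows are constructed, and the generalisation step (dropping state, banding age) is one common mitigation shown for contrast.

```python
# Measure re-identification risk of the quasi-identifiers Heywood names
# (state, age, gender, diagnoses) using k-anonymity: k for a record is the
# number of records that share its quasi-identifier values. k == 1 means the
# record is unique in the release. Sample rows below are constructed.
from collections import Counter

ROWS = [
    {"state": "TX", "age": 34, "gender": "F", "dx": ("depression",)},
    {"state": "TX", "age": 36, "gender": "F", "dx": ("depression",)},
    {"state": "TX", "age": 41, "gender": "M", "dx": ("ALS",)},
    {"state": "NY", "age": 45, "gender": "M", "dx": ("ALS",)},
    {"state": "NY", "age": 31, "gender": "F", "dx": ("depression", "anxiety")},
    {"state": "NY", "age": 33, "gender": "F", "dx": ("depression", "anxiety")},
    {"state": "CA", "age": 58, "gender": "M", "dx": ("ALS",)},
    {"state": "CA", "age": 52, "gender": "M", "dx": ("ALS",)},
]


def raw_key(r):
    """Quasi-identifiers exactly as released: state, age, gender, diagnoses."""
    return (r["state"], r["age"], r["gender"], r["dx"])


def age_band(age, width=10):
    lo = age - age % width
    return f"{lo}-{lo + width - 1}"


def generalised_key(r):
    """Mitigation for contrast: drop state, band age; diagnoses still kept."""
    return (age_band(r["age"]), r["gender"], r["dx"])


def k_values(rows, key):
    """k for each row: how many rows share its quasi-identifier tuple."""
    counts = Counter(key(r) for r in rows)
    return [counts[key(r)] for r in rows]


def min_k(rows, key):
    return min(k_values(rows, key))


def unique_fraction(rows, key):
    ks = k_values(rows, key)
    return sum(1 for k in ks if k == 1) / len(ks)
```

On the raw columns every constructed row is unique (min k of 1, 100% re-identifiable by anyone holding those four attributes); after generalisation each row hides among at least two.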

Editor's note: This is an expanded version of the story published in the Nov. 22, 2010, issue of Modern Healthcare.